Method and Algorithm to Efficiently Evaluate Hierarchical Access Permissions on Objects and Attributes

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is an efficient method for hierarchical access control using a relational database management system (RDBMS) as the Access Control List (ACL) data store for application-specific object operations and attribute operations.

Country

Undisclosed

Language

English (United States)

This text was extracted from a PDF file.

This is the abbreviated version, containing approximately
21% of the total text.

Data stores such as Lightweight Directory Access Protocol (LDAP) offer a way to define
all aspects of an organization in a hierarchical structure. Applications managing LDAP
objects need to ensure that application users have the appropriate privileges before
performing operations on specific objects or object attributes. Access privileges are
typically defined through Access Control Lists (ACLs). Theoretically, hierarchical ACLs
may be stored in LDAP, but data stores such as LDAP do not lend themselves well to
ACL evaluations because evaluation requires multiple and expensive searches and
traversals of the organizational tree.

The novel solution is an efficient method for hierarchical access control using a
relational database management system (RDBMS) as the ACL data store for
application-specific object operations and attribute operations.

1. Sequence of data store searches across the organizational hierarchy for
applicable ACLs

2. Post-processing done in code to evaluate the applicable ACLs in the context of
the permission being checked

Inefficient access checks run a risk of degrading the user experience. During a working
session, applications frequently check access privileges for logged-in users. If a
sequence of inefficient authorization checks is required to operate on an object through
a user interface, then the user experiences a perceptible decrease in system
responsiveness at almost every moment of the interaction with the system. The
improvement discussed here proposes a technique in which all ACLs are stored in
an RDBMS and an individual authorization decision may be obtained through a single
fast-performing Structured Query Language (SQL) query.

Checking access requires a decision about whether the specified permission on the
given protection target is granted to the given system user (ACI principal). Such a
decision is derived by searching for ACLs applicable to the user and determining
whether to grant or deny the user the given permission. An ACL definition may protect
objects at the same organizational unit (single-level SCOPE=0) or objects at the same
organizational unit and any units below (sub-tree SCOPE=1). TARGET_CLASS
contains a name to identify the class of object protected (e.g., an LDAP objectclass
name).

One advantage of the technique described here is that it is not coupled to any particular
data store containing the objects to be protected. The LDAP server is one example of
such a data store. Applications using RDBMS, Object-Oriented Relational DBMS
(OORDBMS), and other types of data stores for storing organizational data may be
easily adapted to use this technique.
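
The single-query access check described above, as an added example that is not the disclosure's own schema or code. T_BU_HIERARCHY, SCOPE and TARGET_CLASS are names from the text; the T_ACL table, all other column names, the closure-table layout, the sample rows, and the deny-overrides/default-deny policy are assumptions.

```python
import sqlite3

# Constructed schema: T_BU_HIERARCHY, SCOPE and TARGET_CLASS are names from the
# disclosure; T_ACL and every other column name are assumptions for this sketch.
SCHEMA = """
CREATE TABLE T_BU_HIERARCHY (ANCESTOR_ID INT, DESCENDANT_ID INT, DEPTH INT);
CREATE TABLE T_ACL (PRINCIPAL TEXT, BU_ID INT, SCOPE INT, TARGET_CLASS TEXT,
                    PERMISSION TEXT, GRANTED INT);  -- GRANTED: 1 grant, 0 deny
"""

# One query per decision. The closure table supplies every ancestor of the
# object's unit (DEPTH 0 is the unit itself), so no tree walk happens in code.
# SCOPE=0 ACLs match only at DEPTH 0; SCOPE=1 ACLs match at any depth.
# Assumed policy: any matching deny wins (MIN), and no match means deny.
CHECK_SQL = """
SELECT COALESCE(MIN(a.GRANTED), 0)
FROM T_ACL a
JOIN T_BU_HIERARCHY h ON h.ANCESTOR_ID = a.BU_ID
WHERE h.DESCENDANT_ID = :bu AND a.PRINCIPAL = :principal
  AND a.TARGET_CLASS = :cls AND a.PERMISSION = :perm
  AND (h.DEPTH = 0 OR a.SCOPE = 1)
"""

def build_demo_db():
    """In-memory database with a constructed tree: 1 (root) > 2 (sales) > 3 (emea)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO T_BU_HIERARCHY VALUES (?, ?, ?)",
                   [(1, 1, 0), (1, 2, 1), (1, 3, 2), (2, 2, 0), (2, 3, 1), (3, 3, 0)])
    db.executemany("INSERT INTO T_ACL VALUES (?, ?, ?, ?, ?, ?)", [
        ("alice", 1, 1, "inetOrgPerson", "modify", 1),  # sub-tree grant at root
        ("alice", 3, 0, "inetOrgPerson", "modify", 0),  # single-level deny at emea
        ("bob",   2, 0, "inetOrgPerson", "read",   1),  # single-level grant at sales
    ])
    return db

def is_granted(db, principal, bu, cls, perm):
    """Return True only if an applicable ACL grants and none denies."""
    params = {"principal": principal, "bu": bu, "cls": cls, "perm": perm}
    return db.execute(CHECK_SQL, params).fetchone()[0] == 1

if __name__ == "__main__":
    db = build_demo_db()
    for who, bu, perm in [("alice", 2, "modify"), ("alice", 3, "modify"),
                          ("bob", 2, "read"), ("bob", 3, "read")]:
        print(who, bu, perm, is_granted(db, who, bu, "inetOrgPerson", perm))
```

Bound parameters keep the principal, class and permission names out of the SQL text, and the aggregate always returns exactly one row, so a missing ACL resolves to a deny rather than an error.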

The T_BU and T_BU_HIERARCHY tables shown below relate the organizational unit
structure stored in a data store such as LDAP to the corresponding parent-child
associations in...